Closed Bug 296626 Opened 19 years ago Closed 19 years ago

Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg) crash [@ nsStyleContext::ApplyStyleFixups a00d3007 ]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sendmail.to, Assigned: bzbarsky)

References

Details

(Keywords: crash)

Crash Data

Attachments

(3 files, 2 obsolete files)

XSL File for text case
941 bytes, text/xml
Details
Test Case
209 bytes, text/xml
Details
get the frame in a usable state, delete if Init failed
2.26 KB, patch
dbaron
: review+
roc
: superreview+
brendan
: approval1.8b3+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050603 Firefox/1.0+

See attached files, wenn loading test.xml file, Deer Park will crash.
(I will attach also the detail.txt from the Feddback Agent if no one can
reproduce this Bug.)

Reproducible: Always

Steps to Reproduce:
1. Open Deer Park
2. load the _test_.xml file via Drag and Drop or URI
3. Deer Park crashes
Attached file Test XML File (obsolete) — 

    
    

    
  

      
      
      
      

        Attached file
          
        Test XSL File (obsolete)
        — 
      

    


  

    
    

    
  
Could you post the talkback id please from

/components/talkback.exe
Summary: Deer Parkes crashes, when loads xml with xsl stylesheet(transforming to svg) → Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg)

    
    

    
  
I didn't send a "talkback-package", because of no Internet Conection at the
testing PC.
But i have saved the Output in a file.


    
    

    
  
I managed to get the files to run locally, will try to fix the test cases so
they run online.

Firefox crashes with TB - TB6386078X

-> New
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Talkback Data

Stack Signature	 nsStyleContext::ApplyStyleFixups a00d3007
Product ID	FirefoxTrunk
Build ID	2005060306
Trigger Time	2005-06-04 09:28:36.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (001ec32f)
URL visited	
User Comments	
Since Last Crash	8580 sec
Total Uptime	8580 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp,
line 360
Stack Trace 	
nsStyleContext::ApplyStyleFixups 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/style/nsStyleContext.cpp,
line 360]
nsCSSFrameConstructor::ConstructMathMLFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6816]
nsCSSFrameConstructor::ConstructHTMLFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 5263]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7630]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7538]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11868]
nsCSSFrameConstructor::ConstructPageBreakFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7447]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7664]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7538]
nsCSSFrameConstructor::WipeContainingBlock 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 13168]
nsCSSFrameConstructor::ConstructInline 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12982]
nsCSSFrameConstructor::InitAndRestoreFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6732]
nsCSSFrameConstructor::ReconstructDocElementHierarchy 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7743]
nsCSSFrameConstructor::ConstructFrameInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 7538]
nsCSSFrameConstructor::WrapFramesInFirstLineFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 11868]
nsCSSFrameConstructor::ConstructRootFrame 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 4485]
nsCSSFrameConstructor::ContentInserted 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9059]
PresShell::InitialReflow 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 2898]
nsXBLWindowDragHandler::nsXBLWindowDragHandler 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLWindowDragHandler.cpp,
line 57]
nsXMLContentSink::HandleStartElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp,
line 940]
nsXMLContentSink::CloseElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp,
line 478]
txMozillaTextOutput::`scalar deleting destructor'
txMozillaXMLOutput::endElement 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp,
line 270]
txExecutionState::getVariable 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/extensions/transformiix/source/xslt/txExecutionState.cpp,
line 239]
txMozillaXSLTProcessor::ImportStylesheet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/extensions/transformiix/source/xslt/txMozillaXSLTProcessor.cpp,
line 353]
Summary: Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg) → Deer Park crashes, when loads xml with xsl stylesheet(transforming to svg) crash [@ nsStyleContext::ApplyStyleFixups a00d3007 ]

    
    

    
  
Stack suggests this is a dupe of bug 284889

    
    

    
  
You really want to reassign core bugs like this out of the Firefox product if
you want someone to look at them (eg I'm pretty close to automatically sending
all Firefox-product bugmail to /dev/null).

That said, before the crash I get the following:

###!!! ASSERTION: invalid container: 'Error', file
../../../../../mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 851
###!!! ASSERTION: Null outerSVGFrame: 'Error', file
../../../../../mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 787

(so we seem to have some invalid SVG here....)  This is repeated 5 or 6 times. 
Then I get:

###!!! ASSERTION: No style context found!: 'mStyleContext', file
../../../mozilla/layout/generic/nsIFrame.h, line 606

And then:

Program received signal SIGSEGV, Segmentation fault.
(gdb) frame
#0  0xb608e02b in nsCachedStyleData::GetStyleData (this=0x1c, aSID=@0xbfffcf90)
    at nsRuleNode.h:210

Note the bogus |this| pointer.  More precisely, we have an nsSVGGlyphFrame with
a null mStyleContext.  This happens because nsSVGGlyphFrame::Init bails out with
NS_ERROR_FAILURE before setting mStyleContext if it has no outer SVG frame.  But
nsCSSFrameConstructor::ConstructTextFrame (which is what constructs glyph
frames) never checks the rv of InitAndRestoreFrame, so the not-initialized frame
happily ends up in the tree and later crashes.

First we should always make sure to set mStyleContext before bailing out of Init
(anything done by nsFrame::Init MUST be done before local init starts,
basically; I realize that the current design of the SVG frame stuff makes this
really hard, which is why nsFrame::Init isn't even being called).  Second, the
caller should check the rv of InitAndRestoreFrame and do something sane.

Oh, and this isn't related to bug 284889.
Assignee: nobody → general
Component: General → SVG
Flags: blocking1.8b3?
Keywords: crash
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → ian
Hardware: PC → All
Version: unspecified → Trunk

    
    

    
  
Boris/dbaron/tor/jwatt, what can we do for 1.8 here?
Assignee: general → bzbarsky
Flags: blocking1.8b3? → blocking1.8b4?

    
    

    
  


  

        Attachment #187720 -
        Flags: superreview?(roc)

        Attachment #187720 -
        Flags: review?(dbaron)

    
  
Flags: blocking1.8b4? → blocking1.8b4+

        Attachment #187720 -
        Flags: superreview?(roc) → superreview+

    
  

        Attachment #187720 -
        Flags: approval1.8b3?

    
    

    
  
Comment on attachment 187720 [details] [diff] [review]
get the frame in a usable state, delete if Init failed

Sounds like this is a good thing to get into 1.8b3, but bz said "we probably
have other similar bugs lurking around".  Should another bug be on file?

/be

        Attachment #187720 -
        Flags: approval1.8b3? → approval1.8b3+

    
    

    
  
Checked in.  Bug 299351 filed to remind us that we should doublecheck the rest
of the svg frames.

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
*** Bug 296806 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsStyleContext::ApplyStyleFixups a00d3007 ]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: